UPDATE 2/7/15: Go visit the updated article.
The new EU General Data Protection Regulation is on its way. The EU Parliament approved the text in March. The new EU Commission president has recently given a time scale of 6 months to conclude negotiations with member states. Some reckon it won’t be in force until 2017. Others say it could be as early as next year.
Cloud providers – are you ready?
1. Cloud providers will be caught directly
New obligations will extend to cloud providers as “data processors”. While the primary obligations will still fall on the customer as “data controller”, cloud providers will have to maintain certain documents and cooperate with the supervisory authority.
2. Mandatory breach notification
If you leak or lose customer data, the customer will not be able to keep silent and will have to notify the supervisory authority. Customers will be keen to ensure they don’t have to notify by ensuring the provider keeps the data secure in the first place. But if there is a problem, expect them to name and shame you. Of course, some providers must notify under existing regs.
3. Massive fines
Fines for the most serious breaches could be up to 5% of global turnover. Data breaches could become very expensive all of a sudden. Customers are likely to seek reassurances from providers and may look to get them to carry this loss if they are the cause. Expect contract wrangling on this point.
4. Data Protection Officer
The customer will have to appoint someone as its data protection officer and inform its users who that is. In turn, the customer may ask the provider to nominate someone to answer data protection queries. This need not be a new role, but providers should be prepared to give someone the responsibility.
There’s more, such as the need to register with only one body across the whole EU rather than, potentially, all of them. There’s also the real “right to be forgotten” that will be enshrined in law, not just the halfway-house version under the Google case. Again, these obligations will primarily fall on the cloud customers who store data with you. Customers may also scrutinise more closely whether the provider is truly data protection compliant, and not just using Safe Harbor as a pretty but useless badge.
I suggest you get ready for the changes now while there’s still time.